Best Directory Sync Program
AAD Password Sync, Encryption and FIPS compliance
Enterprise Mobility Security

Howdy folks,

A couple weeks back, Taylor Higley asked a question on Twitter about Azure AD Password Sync, MD5 and FIPS compliance. My reply was a bit cryptic and prompted replies from Eric Kool Brown and Brian Arkills that pointed out that one-way hashes can't be decrypted, at least not without some brute forcing. This blog post is a follow-up to that conversation with more details, now that I can take advantage of the luxury of having a more than 1.

So, why does Password Sync fail to run on a Federal Information Processing Standard (FIPS) compliant machine, and what is going on under the covers? This is because FIPS compliant systems bar the use of MD5 hash algorithms, so they block Password Sync when the tool tries to access MD5 functions.

Does Password Sync use MD5 functions for encryption? The answer is No. Here's what is actually going on under the covers.

User passwords are stored as a non-reversible hash in Windows Server Active Directory Domain Controllers (DCs).

When our password sync agent attempts to synchronize the password hash from a DC over a secure RPC interface, the DC encrypts that password hash using an MD5 key. The MD5 key that the DC uses is derived from the RPC session key and a salt.

Once this happens, the password hash is wrapped in an MD5 encryption envelope. The password sync agent gets this encrypted password hash from the domain controller over the secure RPC interface.

The following code snippet shows how the MD5 hash key is generated:

    using System;
    using System.Security.Cryptography;

    // Derives the envelope key as MD5(sessionKey || salt).
    static byte[] ComputeMd5(byte[] sessionKey, byte[] salt)
    {
        byte[] data = new byte[sessionKey.Length + salt.Length];
        Buffer.BlockCopy(sessionKey, 0, data, 0, sessionKey.Length);
        Buffer.BlockCopy(salt, 0, data, sessionKey.Length, salt.Length);
        using (MD5 md5 = new MD5CryptoServiceProvider())
        {
            return md5.ComputeHash(data);
        }
    }

Once the password sync agent has the encrypted password hash, it uses MD5CryptoServiceProvider to generate a hash key used for decrypting the envelope containing the password hash. At no point in time does the password sync agent have access to the clear text password.

The password sync agent then secures the password hash by re-hashing it using a stronger SHA2 hash (RFC 2898) before uploading it to the cloud.

So when MD5CryptoServiceProvider is used in a FIPS compliant environment, it throws a System.InvalidOperationException. This is because the MD5 hash is considered a weak hash and is not recommended for use in a FIPS environment. However, since it is not being used to do encryption, we believe this is a non-issue.
Password Sync can be enabled in a FIPS compliant system by locally disabling FIPS for the Directory Sync process. This can be done by adding <enforceFIPSPolicy enabled="false"/> in the miiserver.exe configuration file. miiserver.exe is located at Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\Bin\miiserver.exe.

For more information here, refer to http social.

I hope this is helpful and provides clarity for everyone interested in this issue. As always, would love to get any feedback or suggestions you have.

Best Regards,
Alex Simons (Twitter: AlexASimons)
Director of PM, Active Directory Team

updated 732.
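To check how a given host treats the MD5 call described above, the following small probe can be compiled as a .NET Framework console program. It is an added example, not code from the original post or from the sync agent; the class name FipsHashProbe and the input bytes are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class FipsHashProbe
{
    // Try to create the algorithm and hash the data; report the outcome.
    static bool Probe(string name, Func<HashAlgorithm> create, byte[] data)
    {
        try
        {
            using (HashAlgorithm alg = create())
            {
                string digest = BitConverter.ToString(alg.ComputeHash(data));
                Console.WriteLine("{0}: ok, digest {1}", name, digest);
                return true;
            }
        }
        catch (InvalidOperationException ex)
        {
            // The exception type the post describes for MD5 under FIPS.
            Console.WriteLine("{0}: blocked ({1})", name, ex.Message);
            return false;
        }
    }

    static int Main()
    {
        // Constructed sample inputs; real values come from the RPC session.
        byte[] sessionKey = Enumerable.Range(0, 16).Select(i => (byte)i).ToArray();
        byte[] salt = Enumerable.Range(16, 16).Select(i => (byte)i).ToArray();
        byte[] data = sessionKey.Concat(salt).ToArray();

        // Reflects the machine policy and any enforceFIPSPolicy override
        // in this program's own configuration file.
        Console.WriteLine("FIPS-only policy in effect for this process: {0}",
            CryptoConfig.AllowOnlyFipsAlgorithms);

        bool md5Ok = Probe("MD5CryptoServiceProvider",
            () => new MD5CryptoServiceProvider(), data);
        bool shaOk = Probe("SHA256CryptoServiceProvider",
            () => new SHA256CryptoServiceProvider(), data);

        // Exit code 1 means at least one algorithm was refused.
        return (md5Ok && shaOk) ? 0 : 1;
    }
}
```

Running the probe with and without the enforceFIPSPolicy element in its own configuration file shows that the override is scoped to a single process, which is why the change above affects only the Directory Sync service and leaves the machine-wide policy in place.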